Contents
0 Installation
1 Check settings
2 Add basic schema: 2.1 How to add, 2.2 Confirmation method
3 Add password policy schema: 3.1 Add schema, 3.2 Confirmation method
4 Server administrator password setting: 4.1 Create a file storage directory, 4.2 Generate password hash value, 4.3 Create file, 4.4 Add, 4.5 Confirmation, 4.6 How to change (4.6.1 Generate password hash value, 4.6.2 Create file, 4.6.3 Confirmation)
5 Data directory settings: 5.1 Check current settings, 5.2 Change settings (initial settings: 5.2.1 File preparation, 5.2.2 Execute, 5.2.3 Confirmation of settings after change), 5.3 Change settings (change domain name: 5.3.1 File preparation, 5.3.2 Execute, 5.3.3 Confirmation of settings after domain change)
6 Registration of the base organization, the Manager account, and the organizational units that hold user accounts and groups: 6.1 File preparation, 6.2 Registration, 6.3 Confirmation
7 Network settings: 7.1 IPv4 settings, 7.2 Firewall settings, 7.3 Host name setting, 7.4 Simple name resolution, 7.5 Encryption, 7.6 Client machine settings
8 How to add users: 8.1 UNIX command execution, 8.2 File preparation, 8.3 Add to LDAP directory, 8.4 How to modify a user password (8.4.1 File preparation, 8.4.2 Execute), 8.5 How to force a user password change (8.5.1 File preparation, 8.5.2 Execution)
9 Add groups: 9.1 File preparation, 9.2 Execute
10 Load password policy module: 10.1 Add organizational unit for policies, 10.2 Add password module, 10.3 Check that the password module has been added, 10.4 Add overlay (10.4.1 Database check, 10.4.2 File preparation, 10.4.3 Add overlay), 10.5 Password policy input (10.5.1 Confirmation of contents, 10.5.2 File preparation, 10.5.3 Execution, 10.5.4 Confirmation, 10.5.5 Change settings, 10.5.6 Password policy test)
11 Unlock password: 11.1 File, 11.2 How to unlock
12 Edit file descriptor limit: 12.1 Check current settings, 12.2 Change settings, 12.3 Check that the settings are reflected
13 Log rotate settings: 13.1 Editing rsyslog.conf, 13.2 Restarting the rsyslog service, 13.3 Add slapd to logrotate settings
14 SELinux settings
15 Convenient commands
16 Reference information
Goal: set up a secure LDAP server and check the server's LDAP entries from a client machine.
Domains: intrajp-test.org, intrajp-test2.org
LDAP server: ldap.intrajp-test.org
Administrator: Manager
LDAP client for testing: client1.intrajp-test.org
Build environment: VirtualBox
Network: internal network (172.30.1.0/24)
Multiple users and their groups can be added. SELinux stays enabled for added security. The schema LDIF files shipped with OpenLDAP are in /etc/openldap/schema.
Note: a trailing space at the end of a line in an LDIF file becomes part of the value, so the operation fails (or a password hash stops matching) with an error whose cause is hard to spot; check the file carefully before submitting it.
# yum install openldap openldap-servers openldap-clients
# cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/DB_CONFIG
# systemctl start slapd
# systemctl enable slapd
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
(Display immediately after installation)
dn: cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
(display)
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
(display)
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
# mkdir /root/ldif
# slappasswd
(Make a note of the output hash string. By default it is an {SSHA} salted SHA-1 hash; the hash, never the cleartext password, is what goes into the LDIF.)
Note: a trailing space after the hash, or on any other line, becomes part of the value and makes the modification fail or the password unusable, so check carefully.
# vim /root/ldif/ldaprootpasswd.ldif
====
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: <Hash string output by slappasswd>
====
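The trailing-space problem mentioned at the top of the page and again above has a mechanical check. The following shell function is an added example, not part of the original article; it lints the LDIF files under /root/ldif before they are handed to ldapadd or ldapmodify, flagging trailing whitespace, CRLF line endings, and entries that are not separated from the previous one by an empty line (the other common cause of a confusing LDIF syntax error).

```shell
# ldif_lint FILE ...
# Report the LDIF mistakes this page warns about before the file reaches
# ldapadd/ldapmodify:
#   - trailing whitespace (it becomes part of the value, so a hash or DN
#     silently stops matching, or "changetype: modify " is unknown)
#   - CRLF line endings (files edited on Windows)
#   - a "dn:" line not preceded by an empty line (entries must be separated
#     by a blank line; ldapmodify otherwise fails on the second entry)
# Exit status is 0 only if every file given is clean.
ldif_lint() {
    rc=0
    cr=$(printf '\r')
    for f in "$@"; do
        # grep -n prints the offending lines with their numbers
        if grep -nE '[[:space:]]+$' "$f"; then
            echo "$f: trailing whitespace on the line(s) above" >&2
            rc=1
        fi
        if grep -q "$cr" "$f"; then
            echo "$f: CRLF line endings (convert with dos2unix)" >&2
            rc=1
        fi
        if ! awk 'NR > 1 && /^dn:/ && prev != "" {
                      printf "%s: line %d: entry not separated by an empty line\n", FILENAME, NR
                      bad = 1
                  }
                  { prev = $0 }
                  END { exit bad }' "$f"; then
            rc=1
        fi
    done
    return $rc
}

# Usage before every ldapadd/ldapmodify on this page:
#   ldif_lint /root/ldif/*.ldif && ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldaprootpasswd.ldif
```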
# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldaprootpasswd.ldif
(display)
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootPW
# slappasswd
(Make a note of the output hash string)
# vim /root/ldif/ldaprootpasswd-replace.ldif
====
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <Hash string output by slappasswd>
====
Apply it with ldapmodify (-Y EXTERNAL -H ldapi:///, exactly as in 4.4), then confirm that the stored hash has changed:
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootPW
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}hdb,cn=config'
(display)
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname e,pres,sub
# vim /root/ldif/ldapdomain.ldif
====
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=intrajp-test,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=intrajp-test,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=intrajp-test,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: <Hash string output by slappasswd>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=intrajp-test,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=intrajp-test,dc=org" write by * read
====
Each entry in the file is separated from the next by an empty line, and every DN in an ACL must be a complete DN (cn=Manager,..., not Manager,...). This olcRootPW belongs to the {2}hdb database and is the password that cn=Manager uses for the simple binds (-x -D cn=Manager,... -W) in the later sections; it is independent of the olcRootPW set on the config database in section 4. The first ACL lets clients authenticate against userPassword and lets users change their own password while hiding the hashes from everyone else; the last rule makes the rest of the tree readable anonymously, which the client set up in 7.6 relies on because it binds without a DN. Replace "by * read" with "by users read by * none" once clients have a bind account, if anonymous browsing of the directory is not wanted.
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain.ldif
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}hdb,cn=config'
(display)
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=intrajp-test,dc=org
olcRootDN: cn=Manager,dc=intrajp-test,dc=org
olcRootPW:
Try changing to intrajp-test2.org. Because 5.2 has already set olcRootPW and olcAccess on the {2}hdb database, these are now replaced instead of added, and every DN in the file must name the new suffix. Changing olcSuffix does not rename entries that already exist under the old suffix; on the still-empty database used here that is not an issue.
# vim /root/ldif/ldapdomain-replace.ldif
====
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=intrajp-test2,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=intrajp-test2,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=intrajp-test2,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <Hash string output by slappasswd>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=intrajp-test2,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=intrajp-test2,dc=org" write by * read
====
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain-replace.ldif
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}hdb,cn=config'
(display)
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=intrajp-test2,dc=org
olcRootDN: cn=Manager,dc=intrajp-test2,dc=org
olcRootPW:
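The LDIFs of 5.2 and 5.3 differ only in the suffix and in add versus replace, and retyping them by hand is how a missing cn= or a stale dc=intrajp-test creeps in. The generator below is an added example, not from the original article: it produces either file from the domain name, and the slappasswd hash is passed as an argument so it is never pasted by hand. It keeps the page's ACLs, including anonymous read of the tree, with a note on tightening them.

```shell
# dn_from_domain DOMAIN: "intrajp-test2.org" -> "dc=intrajp-test2,dc=org"
dn_from_domain() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# domain_config_ldif DOMAIN HASH MODE
#   MODE=init    first configuration of the fresh {2}hdb database (5.2): add olcRootPW/olcAccess
#   MODE=change  re-pointing an already configured database (5.3): replace them
# HASH is the slappasswd output, passed in so it is never retyped.
# The ACLs are the page's own: clients may authenticate against userPassword,
# users may change their own, nobody else can read it, cn=Manager can write
# everything, and the rest of the tree is readable anonymously (the client in
# 7.6 binds without a DN). Change the last rule to 'by users read by * none'
# once clients have a bind account.
domain_config_ldif() {
    base=$(dn_from_domain "$1")
    hash=$2
    case $3 in
        init)   op=add ;;
        change) op=replace ;;
        *)      echo "usage: domain_config_ldif DOMAIN HASH init|change" >&2; return 2 ;;
    esac
    manager="cn=Manager,$base"
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$manager" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $base
-
replace: olcRootDN
olcRootDN: $manager
-
$op: olcRootPW
olcRootPW: $hash
-
$op: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="$manager" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="$manager" write by * read
EOF
}

# Usage on the server (slappasswd prompts for the password on the terminal):
#   domain_config_ldif intrajp-test2.org "$(slappasswd)" change > /root/ldif/ldapdomain-replace.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain-replace.ldif
```

The several modifications of olcDatabase={2}hdb are written as one record separated by "-" lines, which is equivalent to the page's separate records but applied atomically by slapd.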
# vim /root/ldif/baseldapdomain.ldif
====
dn: dc=intrajp-test2,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: intrajp-test2 org
dc: intrajp-test2

dn: cn=Manager,dc=intrajp-test2,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=intrajp-test2,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=intrajp-test2,dc=org
objectClass: organizationalUnit
ou: Group
====
Add the above entry to the LDAP directory with the following command.
# ldapadd -x -D cn=Manager,dc=intrajp-test2,dc=org -W -f /root/ldif/baseldapdomain.ldif
(display)
Enter LDAP Password:
adding new entry "dc=intrajp-test2,dc=org"
adding new entry "cn=Manager,dc=intrajp-test2,dc=org"
adding new entry "ou=People,dc=intrajp-test2,dc=org"
adding new entry "ou=Group,dc=intrajp-test2,dc=org"
# ldapsearch -x -LLL -b "dc=intrajp-test2,dc=org" "(objectClass=*)"
(display)
dn: dc=intrajp-test2,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: intrajp-test2 org
dc: intrajp-test2

dn: cn=Manager,dc=intrajp-test2,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=intrajp-test2,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=intrajp-test2,dc=org
objectClass: organizationalUnit
ou: Group
# vim /etc/sysconfig/network-scripts/ifcfg-enp0s3
====
...
#BOOTPROTO=dhcp
BOOTPROTO=static
IPADDR=172.30.1.2
NETMASK=255.255.255.0
...
====
# systemctl restart network
# ip a
Make sure the IP address is 172.30.1.2.
# firewall-cmd --add-service=ldap --permanent
A --permanent rule is only written to the saved configuration; it becomes active after firewall-cmd --reload or after the reboot below.
# hostnamectl set-hostname --static shibbolethidp.intrajp-test2.org
The machine built in this walkthrough is shibbolethidp.intrajp-test2.org (172.30.1.2); ldap.intrajp-test.org (172.30.1.1) is the earlier server that holds dc=intrajp-test,dc=org, which sections 8 to 11 use.
Shut the VM down once, switch its network adapter to "Internal Network" in VirtualBox, and start it again.
Register each machine's name in /etc/hosts on every machine.
# vim /etc/hosts
====
172.30.1.1 ldap.intrajp-test.org
172.30.1.2 shibbolethidp.intrajp-test2.org
172.30.1.101 client1.intrajp-test.org
====
Create a certificate on the server.
Private key creation
# cd /etc/pki/tls/certs/
# make ldaps.key
# openssl rsa -in ldaps.key -out ldaps.key
(make ldaps.key produces a passphrase-protected key; the openssl rsa step rewrites it without the passphrase so that slapd can load it at start-up without prompting)
# ls -lt
(display) ldaps.key
Certificate signing request creation
# make ldaps.csr
(Answer the prompts: Country Name JP, State KANAGAWA, Locality YOKOHAMA, and so on. The Common Name must be the server's FQDN, shibbolethidp.intrajp-test2.org, because clients compare the host name they connected to with the name in the certificate.)
Check that the CSR was created.
# ls -lt
Certificate creation (self-signed, valid for ten years)
# openssl req -x509 -days 3650 -in ldaps.csr -key ldaps.key -out ldaps.crt
Check that the certificate was created.
# ls -lt
Move the files
# mv ldaps.* /etc/openldap/certs
# chown ldap:ldap /etc/openldap/certs/ldaps.*
slapd runs as the ldap user and must be able to read the key, and nobody else should: make ldaps.key mode 0600. mv keeps the SELinux label of the source directory, so run restorecon -Rv /etc/openldap/certs afterwards to give the files the label the policy expects there.
Also copy the CA bundle.
# cp /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs
Check the files
# ls -lt /etc/openldap/certs
Check the current configuration once
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
Creating a configuration file
# vim /root/ldif/ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldaps.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldaps.key
Apply the configuration
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ssl.ldif
(display)
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
If the following error is output here, slapd could not load the files named in the LDIF: the permissions or ownership of the certificate or key are wrong (slapd reads them as the ldap user), or the Common Name is not the FQDN (I made a mistake here and got stuck). Note that if you forget to copy ca-bundle.crt you get the same error, because the path given in olcTLSCACertificateFile does not exist.
(Error display)
ldap_modify: Other (e.g., implementation specific) error (80)
Make ldaps available
# vim /etc/sysconfig/slapd
(Before)
SLAPD_URLS="ldapi:/// ldap:///"
(After)
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
# firewall-cmd --add-service=ldaps --permanent
Reload the firewall (firewall-cmd --reload) so the ldap and ldaps rules become active. Plain ldap:/// on port 389 stays enabled here; simple binds over it send passwords in the clear, so once every client uses ldaps, drop ldap:/// from SLAPD_URLS or remove the ldap firewall service again.
Service restart
# systemctl restart slapd
# hostnamectl set-hostname client1.intrajp-test.org
# yum install openldap openldap-clients nss-pam-ldapd
# vim /etc/sysconfig/network-scripts/ifcfg-enp0s3
#BOOTPROTO=dhcp
BOOTPROTO=static
IPADDR=172.30.1.101
NETMASK=255.255.255.0
# vim /etc/hosts
172.30.1.1 ldap.intrajp-test.org
172.30.1.2 shibbolethidp.intrajp-test2.org
172.30.1.101 client1.intrajp-test.org
Ping the server from the client machine.
$ ping ldap.intrajp-test.org
$ ping shibbolethidp.intrajp-test2.org
# systemctl start oddjobd
# systemctl enable oddjobd
# vim /etc/openldap/ldap.conf
(Add the following)
====
TLS_REQCERT allow
====
TLS_REQCERT allow tells the client library not to fail when it cannot verify the server certificate, which is why the self-signed ldaps.crt works here without further setup. It also means the client never authenticates the server, so any host on the network that answers for the server name would receive the users' passwords; this is acceptable only in this lab. The proper setting is to copy ldaps.crt to the client, point TLS_CACERT at it, and leave TLS_REQCERT at its default, demand.
# authconfig --enableldap --enableldapauth --ldapserver=ldaps://shibbolethidp.intrajp-test2.org --ldapbasedn="dc=intrajp-test2,dc=org" --enablemkhomedir --update
The above command edited /etc/openldap/ldap.conf (URI and BASE). On CentOS 7 it configures sssd rather than nslcd when sssd is installed, with credential caching enabled, which explains the behaviour observed below.
# shutdown -r now
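Error 80 in 7.5 and the TLS_REQCERT workaround in 7.6 are both symptoms that can be checked with openssl before touching cn=config or ldap.conf. The script below is an added example, not part of the original article; it assumes only the openssl command line, GNU find, and the file names used above. cert_verify shows directly why ca-bundle.crt is the wrong TLS_CACERT for a self-signed ldaps.crt and the certificate itself is the right one. Name matching follows libldap, which uses subjectAltName dNSName entries and falls back to the CN only when the certificate has no SAN.

```shell
# Offline TLS checks for the slapd certificate (7.5) and for what the
# client will verify (7.6). Needs only the openssl command line and GNU find.

# cert_key_match CRT KEY: 0 if the public key in CRT belongs to KEY.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_cn CRT: the subject Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=[[:space:]]*//p' | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_dns_names CRT: subjectAltName dNSName values, one per line (nothing if there is no SAN).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_has_name CRT HOST: 0 if HOST is a SAN dNSName, or equals the CN when the
# certificate has no SAN (the same fallback libldap applies to the server name).
cert_has_name() {
    names=$(cert_dns_names "$1")
    if [ -z "$names" ]; then
        names=$(cert_cn "$1")
    fi
    printf '%s\n' "$names" | grep -qxF "$2"
}

# cert_verify CRT CAFILE: 0 if CRT chains to a certificate in CAFILE.
# A self-signed ldaps.crt verifies against itself and not against ca-bundle.crt,
# which is why the client needs TLS_CACERT pointing at ldaps.crt.
cert_verify() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ldap_tls_precheck CRT KEY HOST CAFILE: run every check, print each failure,
# return the number of failures (0 = ready for ssl.ldif).
ldap_tls_precheck() {
    fails=0
    cert_key_match "$1" "$2" || { echo "$2 does not match $1"; fails=$((fails + 1)); }
    cert_has_name "$1" "$3" || { echo "$1 is not issued for $3"; fails=$((fails + 1)); }
    cert_verify "$1" "$4"   || { echo "$1 does not verify against $4"; fails=$((fails + 1)); }
    # slapd reads the key as the ldap user; nobody else should be able to.
    case $(find "$2" -perm /077 2>/dev/null) in
        "") ;;
        *)  echo "$2 is readable by group or other (chmod 600 and chown ldap:ldap it)"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# On the server, after section 7.5:
#   ldap_tls_precheck /etc/openldap/certs/ldaps.crt /etc/openldap/certs/ldaps.key \
#       shibbolethidp.intrajp-test2.org /etc/openldap/certs/ldaps.crt
```

On the client, the matching ldap.conf settings after copying ldaps.crt to /etc/openldap/certs are TLS_CACERT /etc/openldap/certs/ldaps.crt with TLS_REQCERT demand (the default); the same cert_verify call run there shows whether the copied file is the one the server presents.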
By the way, why can I still log in as intrajp-user5 even after changing the server or stopping it? Is it because the cache is being read?
I tried disabling sssd and now I can't log in. It looks like the sssd cache is being read. Well, let's put it back.
As written here, even if you delete the cache file, you cannot log in once the server is stopped. https://www.rootusers.com/how-to-clear-the-sssd-cache-in-linux/
Earlier, I set shibbolethidp.intrajp-test2.org as the LDAP server and was still able to log in on the client machine even though there was no intrajp-user5 user there, because the sssd cache was being read. After deleting all the cache files on the client machine, intrajp-user5 can no longer log in. Now let's restore the LDAP server setting to the original ldap.intrajp-test.org server.
# authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap.intrajp-test.org --ldapbasedn="dc=intrajp-test,dc=org" --enablemkhomedir --update
Now I can log in as intrajp-user5 from the client machine again.
# useradd <User name>
# passwd <User name>
# grep <User name> /etc/passwd
(Remember the uidNumber. The local account serves only to obtain a uidNumber that does not collide with local ones; LDAP authentication does not need it.)
# slappasswd
(Copy the {SSHA} hash output)
# vim /root/ldif/ldapuser.ldif
====
dn: uid=<User name>,ou=People,dc=intrajp-test,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: <User name>
uid: <User name>
uidNumber: <id number>
gidNumber: <id number>
homeDirectory: /home/<User name>
userPassword: <{SSHA} hash copied>
loginShell: /bin/bash
gecos: <User name>
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
pwdReset: TRUE
====
gidNumber is the same number as uidNumber here; the group created in section 9 must use it. pwdReset: TRUE marks the password as set by the administrator, so the password policy of section 10 forces the user to change it at first login.
# ldapadd -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapuser.ldif
# vim /root/ldif/ldapuser-replace.ldif
====
dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
changetype: modify
replace: userPassword
userPassword: <String output by slappasswd>
====
# ldapmodify -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapuser-replace.ldif
Writing a hash produced by slappasswd bypasses the password policy of section 10: with pwdCheckQuality 1 the server cannot judge the quality of a value it receives already hashed and accepts it, and the pwdInHistory comparison, which hashes the submitted cleartext against the stored history, cannot match a pre-hashed value. To have the policy enforced on an administrative reset, send the cleartext through the password-modify operation instead, as ldappasswd does in 10.5.6.
# vim /root/ldif/ldapuser-replace-pwdreset.ldif
====
dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
changetype: modify
replace: pwdReset
pwdReset: TRUE
====
# ldapmodify -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapuser-replace-pwdreset.ldif
With pwdReset set to TRUE, the policy (pwdMustChange: TRUE in section 10) allows the user nothing but a password change after the next bind, so the user is prompted for a new password at login.
# vim /root/ldif/ldapgroup.ldif
====
dn: cn=<group name>,ou=Group,dc=intrajp-test,dc=org
objectClass: posixGroup
cn: <group name>
gidNumber: <id number>
====
# ldapadd -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapgroup.ldif
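Sections 8 and 9 build the user and group entries by hand, with the uidNumber taken from a throwaway local account. The functions below are an added example, not from the original article: next_free_id picks the next unused uidNumber or gidNumber from an ldapsearch -LLL dump of the directory (the dump embedded here is constructed for illustration), and the two generators print the same entries as the files above with consistent attribute names, so the only thing typed by hand is the user name.

```shell
# Constructed sample of
#   ldapsearch -x -LLL -b ou=People,dc=intrajp-test,dc=org uidNumber gidNumber
SAMPLE_DUMP='dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
uidNumber: 1001
gidNumber: 1001

dn: uid=intrajp-user5,ou=People,dc=intrajp-test,dc=org
uidNumber: 10003
gidNumber: 10003
'

# next_free_id ATTR [FLOOR]: read the dump on stdin, print the highest value
# of ATTR (uidNumber or gidNumber) plus one, but never below FLOOR (default
# 10000, clear of the local account range). This replaces the "useradd on the
# server to learn a uidNumber" step of section 8.1.
next_free_id() {
    awk -v attr="$1:" -v floor="${2:-10000}" '
        tolower($1) == tolower(attr) && $2 + 0 > max { max = $2 + 0 }
        END { id = max + 1; if (id < floor) id = floor; print id }'
}

# posix_user_ldif NAME UIDNUMBER GIDNUMBER HASH BASE: the entry of section 8.2
# (HASH is the slappasswd output; shadow values as on the page).
posix_user_ldif() {
    cat <<EOF
dn: uid=$1,ou=People,$5
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
uid: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
gecos: $1
userPassword: $4
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
pwdReset: TRUE
EOF
}

# posix_group_ldif NAME GIDNUMBER BASE [MEMBER...]: the entry of section 9.1,
# optionally listing members (memberUid) for a supplementary group.
posix_group_ldif() {
    printf 'dn: cn=%s,ou=Group,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$1" "$3" "$1" "$2"
    shift 3
    for m in "$@"; do
        printf 'memberUid: %s\n' "$m"
    done
}

# Typical use on the server (slappasswd prompts on the terminal):
#   uid=$(ldapsearch -x -LLL -b ou=People,dc=intrajp-test,dc=org uidNumber | next_free_id uidNumber)
#   posix_user_ldif intrajp-user6 "$uid" "$uid" "$(slappasswd)" dc=intrajp-test,dc=org > /root/ldif/ldapuser.ldif
#   posix_group_ldif intrajp-user6 "$uid" dc=intrajp-test,dc=org > /root/ldif/ldapgroup.ldif
```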
Add an organizationalUnit called policies and put the password policy in it.
# vim /root/ldif/oupolicy.ldif
====
dn: ou=policies,dc=intrajp-test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: policies
description: Password policy
====
# ldapadd -x -W -D cn=Manager,dc=intrajp-test,dc=org -f /root/ldif/oupolicy.ldif
Create an LDIF file for loading the module
# vim /root/ldif/ppolicymodule.ldif
====
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: ppolicy.la
====
Add it.
# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ppolicymodule.ldif
I also referred to the following. https://kifarunix.com/implement-openldap-password-policies/amp/ https://meddeb.net/pqchecker/
Make sure the ppolicy.la module is loaded in the config database.
# slapcat -n 0 | grep -i module
(display)
...(snip)...
olcModuleLoad: {0}ppolicy.la
olcModuleLoad: {1}ppolicy
...(snip)...
One olcModuleLoad line is enough; the second value here is simply the same module listed again.
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
The data database is olcDatabase={2}hdb, so the overlay goes under that entry.
# vim /root/ldif/ppolicyoverlay.ldif
====
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=intrajp-test,dc=org
====
# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ppolicyoverlay.ldif
olcPPolicyDefault names the policy entry (created in 10.5) that applies to every user without a pwdPolicySubentry of its own. If anyone will ever write userPassword directly with ldapmodify instead of through the password-modify operation that ldappasswd and sssd use, also set olcPPolicyHashCleartext: TRUE on this overlay so that slapd hashes such values rather than storing them in cleartext.
# man slapo-ppolicy
See also the following draft, which explains attributes such as pwdMinAge.
https://tools.ietf.org/id/draft-behera-ldap-password-policy-10.html
# vim /root/ldif/ppolicy.ldif
====
dn: cn=default,ou=policies,dc=intrajp-test,dc=org
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdCheckModule: check_password.so
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 300
pwdCheckQuality: 1
pwdMinLength: 8
pwdSafeModify: FALSE
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdInHistory: 2
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
====
In words: lock an account for 300 seconds after 5 consecutive failed binds; require at least 8 characters and hand the cleartext to check_password.so (pwdCheckQuality 1 accepts a password whose quality cannot be checked, for example one supplied pre-hashed; 2 would reject it); expire passwords after 90 days (7776000 s) with warnings from 7 days (604800 s) before; remember the last 2 passwords; allow no grace logins after expiry; and force a change after an administrative reset. pwdReset is not an attribute of the policy entry; it is set on individual user entries, as in section 8.5.
# ldapadd -x -W -D cn=Manager,dc=intrajp-test,dc=org -f /root/ldif/ppolicy.ldif
(Verification)
# ldapsearch -x -H ldap:/// -D cn=Manager,dc=intrajp-test,dc=org -W -b dc=intrajp-test,dc=org "(objectClass=pwdPolicy)" -LLL
# vim /etc/openldap/check_password.conf
(Change to the following values)
====
useCracklib 1
minPoints 3
minUpper 1
minLower 1
minDigit 1
minPunct 1
====
check_password.so (the LDAP Tool Box password checker whose configuration keys are listed below) is not part of the CentOS openldap-servers package and has to be installed separately; slapd must find it in its module directory (/usr/lib64/openldap here) or pwdCheckModule must give an absolute path. The meaning of each value is as follows.
useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification. It has no effect if cracklib was not included at compile time.
minPoints: integer. Default value: 3. Minimum number of quality points a new password must have to be accepted. One quality point is awarded for each character class used in the password.
minUpper: integer. Default value: 0. Minimum number of upper-case characters expected.
minLower: integer. Default value: 0. Minimum number of lower-case characters expected.
minDigit: integer. Default value: 0. Minimum number of digit characters expected.
minPunct: integer. Default value: 0. Minimum number of punctuation characters expected.
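The check_password.conf values above can be previewed locally before a user is sent to change a password. The script below is an added example, not part of the original article or of the check_password module; it applies pwdMinLength from the policy entry and the minPoints/minUpper/minLower/minDigit/minPunct minimums in the way the module documents them (one point per character class present). It cannot reproduce the cracklib dictionary check (useCracklib 1), so a password that passes here may still be rejected by the server, which remains the authority.

```shell
# Values from the policy entry (pwdMinLength) and check_password.conf above.
PW_MIN_LENGTH=8
PW_MIN_POINTS=3
PW_MIN_UPPER=1
PW_MIN_LOWER=1
PW_MIN_DIGIT=1
PW_MIN_PUNCT=1

# count_class PASSWORD CLASS: number of characters of CLASS (upper, lower, digit, punct).
count_class() {
    printf '%s' "$1" | tr -cd "[:$2:]" | wc -c | tr -d ' '
}

# pw_points PASSWORD: number of character classes used (0 to 4), the
# "quality points" minPoints is compared against.
pw_points() {
    p=0
    for c in upper lower digit punct; do
        if [ "$(count_class "$1" "$c")" -gt 0 ]; then
            p=$((p + 1))
        fi
    done
    echo "$p"
}

# pw_check PASSWORD: prints every reason the password would be refused;
# returns 0 only when it satisfies all configured minimums.
pw_check() {
    pw=$1 rc=0
    [ ${#pw} -ge $PW_MIN_LENGTH ] || { echo "shorter than pwdMinLength $PW_MIN_LENGTH"; rc=1; }
    [ "$(pw_points "$pw")" -ge $PW_MIN_POINTS ] || { echo "fewer than minPoints $PW_MIN_POINTS character classes"; rc=1; }
    for spec in upper:$PW_MIN_UPPER lower:$PW_MIN_LOWER digit:$PW_MIN_DIGIT punct:$PW_MIN_PUNCT; do
        c=${spec%%:*} min=${spec#*:}
        [ "$(count_class "$pw" "$c")" -ge "$min" ] || { echo "needs at least $min $c character(s)"; rc=1; }
    done
    return $rc
}

# Example: pw_check 'password' prints the reasons and returns 1, exactly as
# the server answered "Constraint violation (19)" to ldappasswd below.
```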
# ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=intrajp-user1,ou=people,dc=intrajp-test,dc=org"
New password: password
Re-enter new password: password
...
Result: Constraint violation (19)
It seems to have worked.
Lock the account by entering a wrong password five or more times from the client, then check on the server.
# ldapsearch -x -W -H ldap:/// -D "cn=Manager,dc=intrajp-test,dc=org" -b "dc=intrajp-test,dc=org" pwdAccountLockedTime=* pwdAccountLockedTime
(display)
...
# intrajp-user1, People, intrajp-test.org
dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
pwdAccountLockedTime: 20210103084740Z
Create and apply an unlock file
# vim /root/ldif/ppolicy-unlock.ldif
====
dn: uid=intrajp-user1,ou=people,dc=intrajp-test,dc=org
changetype: modify
delete: pwdAccountLockedTime
====
# ldapmodify -x -D "cn=Manager,dc=intrajp-test,dc=org" -W -f /root/ldif/ppolicy-unlock.ldif
When I checked again, it was unlocked.
With pwdLockoutDuration 300 the lock also expires on its own after 300 seconds; deleting pwdAccountLockedTime is needed to release it early, or when it holds the value 000001010000Z, which marks an account locked permanently by the administrator. The timestamps of the failed binds that led to the lock are kept in pwdFailureTime on the same entry, which pwdMaxFailure counts.
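The lockout check above is a one-off ldapsearch. The script below generalizes it into something that can be run during an incident or from cron; it is an added example, not from the original article. It reads ldapsearch -LLL output (run with -o ldif-wrap=no so long DNs are not folded; the dump embedded here is constructed), decides for each lock whether it is still active given pwdLockoutDuration, and prints the unlock LDIF of section 11 for those that are, while listing administrator locks separately instead of silently clearing them. It assumes GNU date for the GeneralizedTime conversion.

```shell
# Constructed sample of
#   ldapsearch -x -LLL -o ldif-wrap=no -D cn=Manager,dc=intrajp-test,dc=org -W \
#       -b dc=intrajp-test,dc=org pwdAccountLockedTime=* pwdAccountLockedTime
SAMPLE_LOCKSEARCH='dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
pwdAccountLockedTime: 20210103084740Z

dn: uid=intrajp-user2,ou=People,dc=intrajp-test,dc=org
pwdAccountLockedTime: 000001010000Z
'

# gentime_to_epoch 20210103084740Z -> 1609663660
# (LDAP GeneralizedTime is always UTC; uses GNU date -d)
gentime_to_epoch() {
    s=$(printf '%s' "$1" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)Z$/\1-\2-\3 \4:\5:\6/')
    date -u -d "$s" +%s
}

# lock_state LOCKEDTIME NOW DURATION -> permanent | active | expired
# 000001010000Z is the value ppolicy stores for an account locked by the
# administrator; DURATION is pwdLockoutDuration in seconds, 0 meaning
# "locked until an administrator unlocks it".
lock_state() {
    case $1 in
        000001010000Z) echo permanent; return ;;
    esac
    age=$(( $2 - $(gentime_to_epoch "$1") ))
    if [ "$3" -eq 0 ] || [ "$age" -lt "$3" ]; then
        echo active
    else
        echo expired
    fi
}

# locked_entries: ldapsearch -LLL output on stdin -> "DN<TAB>LOCKEDTIME" per locked entry.
locked_entries() {
    awk -F': ' '$1 == "dn" { dn = $2 } $1 == "pwdAccountLockedTime" { printf "%s\t%s\n", dn, $2 }'
}

# unlock_ldif DN: the modify record section 11 writes by hand.
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n\n' "$1"
}

# unlock_report NOW DURATION: ldapsearch output on stdin; prints unlock LDIF
# for every lock still active at NOW, lists administrator locks on stderr,
# and ignores locks that have already expired.
unlock_report() {
    locked_entries | while IFS="$(printf '\t')" read -r dn t; do
        case $(lock_state "$t" "$1" "$2") in
            active)    unlock_ldif "$dn" ;;
            permanent) echo "$dn: locked by an administrator, not touched" >&2 ;;
        esac
    done
}

# Live use on the server (read the report before piping it into ldapmodify):
#   ldapsearch -x -LLL -o ldif-wrap=no -D cn=Manager,dc=intrajp-test,dc=org -W \
#       -b dc=intrajp-test,dc=org pwdAccountLockedTime=* pwdAccountLockedTime |
#       unlock_report "$(date +%s)" 300
```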
# grep "Max open files" /proc/$(pidof slapd)/limits
(display) Max open files 1024 4096 files
# mkdir /etc/systemd/system/slapd.service.d
# vim /etc/systemd/system/slapd.service.d/override.conf
====
[Service]
LimitNOFILE=65536
LimitNPROC=65536
====
# systemctl daemon-reload
# systemctl restart slapd
# grep "Max open files" /proc/$(pidof slapd)/limits
(display) Max open files 65536 65536 files
# shutdown -r now
# grep "Max open files" /proc/$(pidof slapd)/limits
(display) Max open files 65536 65536 files
Make rsyslog write the slapd log to its own file. slapd logs through the local4 syslog facility; how much it logs depends on olcLogLevel in cn=config.
# vim /etc/rsyslog.conf
Add the following
====
local4.* /var/log/slapd/slapd.log
====
# systemctl restart rsyslog
# vim /etc/logrotate.d/syslog
Add /var/log/slapd/slapd.log to the list of files at the top of this file (before the opening brace), so it is rotated together with the other syslog files:
====
/var/log/slapd/slapd.log
====
SELinux is left in enforcing mode for added security.
Verification
# sestatus
(display)
Current mode: enforcing
If slapd fails to read the certificates or rsyslog cannot write the log after the changes above, look for AVC denials in /var/log/audit/audit.log before relaxing anything; a wrong file label is fixed with restorecon, not by switching to permissive.
# ldapsearch -x -LLL -b dc=intrajp-test,dc=org
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
Check the schema
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
# slapcat -n 0
Check loaded modules
# slapcat -n 0 | grep -i module
# ldapsearch -x -H ldap:/// -D cn=Manager,dc=intrajp-test,dc=org -W -b dc=intrajp-test,dc=org
# ldapsearch -h localhost -x -W -D "cn=Manager,dc=intrajp-test,dc=org" -b 'ou=People,dc=intrajp-test,dc=org'
(Mainly referred to)
https://www.tecmint.com/install-openldap-server-for-centralized-authentication/
(Other references)
https://qiita.com/y-araki-qiita/items/6b2dcbf1a39a969d8024
https://qiita.com/gzock/items/f1ac346304653a92c8cb
https://qiita.com/pa_pa_paper/items/c3d7f4a28729045167d2
http://kawakamasu.hatenablog.com/entry/2017/06/08/011422
https://www.conversion.co.jp/technology/blog/-/detail/=/blog_id=5836119
https://www.openldap.org/doc/admin24/slapdconf2.html
https://nonylene.hatenablog.jp/entry/2017/08/19/022137
https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap
(About the client machine)
https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/
(Reference)
https://www.server-world.info/query?os=CentOS_7&p=openldap&f=4
(Reference 2)
https://www.nedia.ne.jp/blog/tech/2015/09/08/5570
(Further reference)
https://www.unix-power.net/networking/post-748